WebSitePulse 2015 Valentine's Day Retail Performance Report

February 20th, 2015
Posted in Monitoring

Security notification for CVE-2015-0235 (GHOST vulnerability)

January 28th, 2015
Posted in Industry News, WebSitePulse News, Tech

A significant Linux vulnerability that allows remote code execution on Linux servers was announced late yesterday, named GHOST (CVE-2015-0235). Full details of the vulnerability are available at http://www.openwall.com/lists/oss-security/2015/01/27/9. Although the issue was fixed as early as Mar 21, 2013, it was not marked as a security threat, and as a result the patch was not backported to most of the stable and long-term-support distributions such as RHEL, CentOS and Ubuntu 12.04, which left them vulnerable.

Updates for CentOS are already available in the Updates repository so a simple "yum update" will install the required patches to mitigate this vulnerability.

Qualys have provided a simple C program to test whether a machine is vulnerable:

cat > GHOST.c << EOF
#include <netdb.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>

#define CANARY "in_the_coal_mine"

struct {
  char buffer[1024];
  char canary[sizeof(CANARY)];
} temp = { "buffer", CANARY };

int main(void) {
  struct hostent resbuf;
  struct hostent *result;
  int herrno;
  int retval;

  /*** strlen (name) = size_needed - sizeof (*host_addr) - sizeof (*h_addr_ptrs) - 1; ***/
  size_t len = sizeof(temp.buffer) - 16*sizeof(unsigned char) - 2*sizeof(char *) - 1;
  char name[sizeof(temp.buffer)];
  memset(name, '0', len);
  name[len] = '\0';

  retval = gethostbyname_r(name, &resbuf, temp.buffer, sizeof(temp.buffer), &result, &herrno);

  if (strcmp(temp.canary, CANARY) != 0) {
    puts("vulnerable");
    exit(EXIT_SUCCESS);
  }
  if (retval == ERANGE) {
    puts("not vulnerable");
    exit(EXIT_SUCCESS);
  }
  puts("should not happen");
  exit(EXIT_FAILURE);
}
EOF

$ gcc GHOST.c -o GHOST
$ ./GHOST
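The test above only exercises the glibc that a newly started process loads; daemons started before the update keep the old library mapped until they are restarted. The following added example (not part of the original post or of Qualys's code) lists such processes by looking for a deleted libc mapping in /proc/<pid>/maps. The function names and the sample tree are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: find processes that still map a glibc file replaced on disk.
# After a package update the old libc file is unlinked, and the kernel marks
# the mapping in /proc/<pid>/maps with a trailing "(deleted)" until restart.

# stale_libc_pids [PROC_ROOT] -> prints "pid<TAB>comm" per affected process.
# Reading other users' maps on the live /proc requires root.
stale_libc_pids() {
  local root=${1:-/proc} dir
  for dir in "$root"/[0-9]*; do
    [ -r "$dir/maps" ] || continue
    # Matches libc-2.17.so and libc.so.6 (with any suffix), not libcrypto etc.
    if grep -Eq '/libc(-[0-9.]+)?\.so[^ /]* \(deleted\)$' "$dir/maps"; then
      printf '%s\t%s\n' "${dir##*/}" "$(cat "$dir/comm" 2>/dev/null || echo '?')"
    fi
  done
}

# Constructed sample tree (not real process data) so the check runs anywhere.
make_sample_proc() {
  local root=$1
  mkdir -p "$root/101" "$root/202"
  echo sshd  > "$root/101/comm"
  echo crond > "$root/202/comm"
  cat > "$root/101/maps" <<'MAPS'
7f3a10000000-7f3a101b6000 r-xp 00000000 fd:01 393228 /usr/lib64/libc-2.17.so (deleted)
7f3a10400000-7f3a10420000 r-xp 00000000 fd:01 393101 /usr/lib64/ld-2.17.so
MAPS
  cat > "$root/202/maps" <<'MAPS'
7f9b20000000-7f9b201b6000 r-xp 00000000 fd:01 401877 /usr/lib64/libc-2.17.so
7f9b20600000-7f9b20650000 r-xp 00000000 fd:01 401990 /usr/lib64/libcrypto.so.10 (deleted)
MAPS
}

sample=$(mktemp -d)
make_sample_proc "$sample"
stale_libc_pids "$sample"   # only the constructed sshd entry is reported
rm -rf "$sample"
```

Run stale_libc_pids with no argument as root to scan the live /proc, then restart the listed services or reboot the machine.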

We have verified that all WebSitePulse servers have the latest updates installed and are not vulnerable.

WebSitePulse 2014 Holiday Retail Performance and Uptime Report

January 20th, 2015
Posted in Monitoring

The 2014 Holiday Season is over and so is the shopping fever. The analytics company RetailNext noted a 4% rise in sales compared to last year due to much stronger online purchasing.

According to Shelley Kohan, vice president of retail consulting at RetailNext, "The online promotions that came out early in November really took a lot out of the brick-and-mortar business as they captured the shopper very early this year" (reuters.com).

Considering the above, we can’t stress enough the need to maintain perfect website performance and availability. The more people visit your website, the harder it becomes to maintain low response time and high uptime. Both are important if you care about your customers’ flawless shopping experience and your sales or conversions.

We monitored 11 of the most popular websites for gifts during the Holiday Season (November 24, 2014 – January 04, 2015) in order to see whether they could handle a possible heavy traffic load during the shopping fever.

Most of them demonstrated excellent uptime – above 99.5%.

As for the response time – it varied between 2 and 12 seconds, meaning that some websites were caught off guard during traffic surges.

To see the detailed daily reports, visit www.websitepulse.com

WebSitePulse 2014 Hurricane Season Web Performance and Uptime Report

November 20th, 2014
Posted in Monitoring

The 2014 hurricane season is over and according to Weather.com, it was “one of contrasts and paradoxes.”

The reason is that the Atlantic basin produced the fewest tropical cyclones and named storms since 1997, and at the same time it brought the strongest landfalling hurricane in the mainland U.S. in six years, and the strongest hurricane in four years, according to the website.

These weather swings have been closely reported by the weather websites, which must have been well prepared to bear heavy traffic loads during unexpected weather events.

We decided to monitor 5 of the most popular websites to see whether they managed to cope with unforeseen traffic surges. And, here’s what we found out:

  • Three out of five websites demonstrated perfect average response time – below one second.
  • Nhc.noaa.gov had the lowest response time of all – 0.39 seconds; last year, the same website demonstrated enviable performance as it had the lowest response time again
  • Salvationarmy.org reached 2.4 seconds of response time, which is much higher than last year’s, when it was only 0.9. That contrast only shows that the high response time this year was simply accidental
  • The uptime (availability) of all monitored targets was above 99.85%

The stats above show that the monitored websites were up and running throughout the whole period and did not experience any major downtime. Also, most of them loaded quite fast, so visitors were able to receive the important weather updates almost instantly.

For more details, check the daily reports at www.websitepulse.com

Security Notification for SSLv3 POODLE Vulnerability

October 16th, 2014
Posted in Industry News, WebSitePulse News

As you probably know, a number of news sources, corporations, and the OpenSSL team reported yesterday, 14 October 2014, that version 3 of Secure Sockets Layer (SSLv3) is vulnerable at the protocol level. More information about the vulnerability can be found under CVE-2014-3566.

To prevent any potential leaks from this vulnerability we have immediately disabled SSLv3 on all our web servers, including the API endpoints. Our monitoring agents are not affected by this change and will continue to support SSLv3 for the time being in order to be able to properly monitor servers that support only SSLv3. We are urging all customers to disable SSLv3 on hosts interacting with our services as soon as possible and upgrade to Transport Layer Security (TLS).

Here are a few examples of how to configure potentially vulnerable services to disable SSLv3.

Apache

Change all SSLProtocol directives in your httpd config to

SSLProtocol ALL -SSLv2 -SSLv3

and restart the server.

Nginx

Add or edit the following line in your server block

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

If you can't disable SSL 3.0 entirely, there is a TLS_FALLBACK_SCSV patch that can help avoid the attack, if both the client and the server support it.
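An added example, not part of the original notification: a small audit that reads Apache and nginx configuration files and reports whether each SSLProtocol or ssl_protocols directive still leaves SSLv3 enabled. The function names and sample files are constructed, and it assumes that Apache's "all" includes SSLv3, as it did in the releases current at the time.

```bash
#!/usr/bin/env bash
# Added example: report whether each SSLProtocol (Apache) or ssl_protocols
# (nginx) directive in the given files still leaves SSLv3 enabled.
# Assumption: Apache "all" includes SSLv3, as in releases current in 2014.

# audit_sslv3 FILE... -> prints "file:line: verdict"; returns 1 if any enabled
audit_sslv3() {
  awk '
    /^[ \t]*#/ { next }                      # whole-line comments
    { d = tolower($1) }
    d == "sslprotocol" || d == "ssl_protocols" {
      v3 = 0
      for (i = 2; i <= NF; i++) {
        if ($i ~ /^#/) break                 # trailing comment
        t = tolower($i); last = sub(/;.*/, "", t)
        act = ""
        if (d == "sslprotocol" && t ~ /^[+-]/) { act = substr(t, 1, 1); t = substr(t, 2) }
        has = (d == "sslprotocol" && t == "all") || t == "sslv3"
        if (t == "") { }                     # bare ";" token, nothing to do
        else if (d == "ssl_protocols") { if (has) v3 = 1 }   # nginx: plain list
        else if (act == "-") { if (has) v3 = 0 }             # Apache: remove
        else if (act == "+") { if (has) v3 = 1 }             # Apache: add
        else v3 = has                        # Apache: bare token replaces the set
        if (last) break
      }
      printf "%s:%d: SSLv3 %s\n", FILENAME, FNR, (v3 ? "ENABLED" : "disabled")
      if (v3) bad = 1
    }
    END { exit bad + 0 }
  ' "$@"
}

# Constructed sample configs: the weak setting beside the corrected one.
make_samples() {
  local dir=$1
  printf '%s\n' 'SSLProtocol all -SSLv2' > "$dir/apache-weak.conf"
  printf '%s\n' 'SSLProtocol ALL -SSLv2 -SSLv3' > "$dir/apache-fixed.conf"
  printf '%s\n' 'server {' '  ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;' '}' > "$dir/nginx-weak.conf"
  printf '%s\n' 'server {' '  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;  # SSLv3 removed' '}' > "$dir/nginx-fixed.conf"
}

tmp=$(mktemp -d)
make_samples "$tmp"
audit_sslv3 "$tmp"/*.conf || echo "at least one directive still allows SSLv3"
rm -rf "$tmp"
```

The audit only evaluates directives that are present in the files it is given; a server with no explicit directive runs with its built-in default, which has to be checked separately.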